基于Windows日志的安全审计技术研究

©1994-2010ChinaAcademicJournalElectronicPublishingHouse.Allrightsreserved.:(Y2006G20):(1984-),,,:100224026(2009)0120040206Windows,,(,250014):,Windows,APIWindows,Windows:;;:TP393:AResearchonWindowsLogBasedSecurityAuditTechnologyNingXing2wang,LIUPei2yu,KONGXiang2xia(SchoolofInformationScienceandEngineering,ShandongNormalUniversity,Jinan250014,China)Abstract:Aneventlogrecordssomeimportanteventsofanoperatingsystemoranapplicationprocedure.Itistheprimarypurposeofasecurityaudittodiscovertherequiredinformationandrulesofaneventbytheanalysisofalog.Thispaperdiscussesthecentralandglobalmanagmentofwindowssystemlogfiles,employssuchatechanologyasAPIhooktoacquiretheauditdataofwindowssystem,andpresentsahostloganalysisbasedsecurityaudituniversalmodelbytheanalysisofawindowslog.Keywords:hostlog;securityaudit;computersecurity,Internet,,,IDS(),,,[1],(TrustedComputerSystemEvaluationCriteria),:1:,:(1):,,()22120092SHANDONGSCIENCEVol.22No.1Feb.2009©1994-2010ChinaAcademicJournalElectronicPublishingHouse.Allrightsreserved.(2):,,;,,(3):,1Windows,:,,,,,,:;;;;;,,,,,,,,,,:(1),(2),(3),:(1)(2)(3)(4)(5)(6),,()2,,,,141,:Windows©1994-2010ChinaAcademicJournalElectronicPublishingHouse.Allrightsreserved.(1),,,,BPS,,:,,;,,()[2](2),,,,[3]242009©1994-2010ChinaAcademicJournalElectronicPublishingHouse.Allrightsreserved.[4](3),,,,,,,2.22.2.1,,,,,,,,,,(adapter),,,,[5]:typedefstruct{timetlogtime[32];unsignedcharlogchar[32];unsignedshortlogshort[32];unsignedintlogint[32];unsignedlongloglong[32];addresslogaddr[32];ncharlognchar[32];nshortlognshort[32];nintlognint[32];}LOG;,LOG,2.2.2,,WindowsAPIWindowsAPIAPIHookAPI,APIWin32PE,PEIMPORTTABLEAPIAPIPEAPIIMPORTTABLEAPI,APIAPI,API,CALL,IMPORTTABLEAPI,APIAPI,API:IMPORTTALBE,API,API,,341,:Windows©1994-2010ChinaAcademicJournalElectronicPublishingHouse.Allrightsreserved.(provider):,Insert()Get()LogProviderInsert()Get(),LogProviderCollection,LogProviderConfigurationSection,Insert()Get()2.2.3,,,,,,DoS,,,,,,2.3:,,,,,,,,Windows:(1),,,,,:,(2)[6],,,,,,,(3),,,,,[7],[8],,;,,,,,,,,(4),Windows,,,,,442009©1994-2010ChinaAcademicJournalElectronicPublishingHouse.Allrightsreserved.(),,,Windows,,,,:(1)LinuxWindows,Linux,,Linux;(2),,,,:[1],,,,.[J].,2002,6(28):17-19.[2].[M].:,2005.[3]HAINESJ,RYDERDK.Validationofsensoralertcorrelators[J].IEEESecurity&Privacy,2003,1(1):46-56.[4]SCHNEIERB.AttackTrees:ModelingSecurityThreats[J].Dr.DobbsJournal,1999,12(24):21-29.[5],.[J].,2006,22(32):67-68.[6],.[J].,2006,16(4):221-227.[7],,,.[J].,2005,25(7):1526-1529.[8],,.[J].,2001,38(6):727-734.(30)C2V,,:[1]CHANFT,VESEL.ActiveContourswithoutEdges[J].IEEETransImageProcessing,2001,10(2):266-277.[2]KASSM.SNAKE.ActiveContourModels[J].InternationalJournalofComputerVision,1988(1):321-331.[3]OSHERS,SETHIANJ.FrontsPropagatingwithCurvature2DependentSpeed:AlgorithmsBasedonHamilton2JacobiFormulation[J].J.Comput.Phys,1998,79:12-49.[4],,.MumfordShah[J].,2002,25(11):1176-1182.[5].PDE[D].:,2006.[6].[M].:,1995.541,:Windows